Use of device monitoring can help IoT systems to maintain their security throughout their installed life, even as threats continue to evolve.
For the IoT to ensure consumer privacy, protect corporate data, and deliver safe and reliable industrial control, it must incorporate security. Techniques used to protect IT systems are proving inadequate, however: the IoT is too diverse, and exposes too many attack avenues, for traditional perimeter protection at the network edge to succeed on its own. The key to long-term security may instead lie in monitoring device behavior so that a breach can be detected and acted upon.
The typical approach to securing connected devices focuses on prevention: a secure development lifecycle to avoid introducing vulnerabilities, a trusted boot process at power-up, signed firmware updates to prevent tampering, and conformance to industry standards for encryption. These measures are essential, but they address the classes of attack understood at design time, and attackers keep improving their methods. They also say nothing about what a device should do once one of them has been bypassed. How does one protect an IoT design against the unknown or unexpected, especially as threats continue to evolve?
This is a question that Duncan Jones, senior product manager at Arm, raised in his presentation “Securing IoT Devices by Design” at the recent IoT World conference. The answer, he maintains, lies in monitoring. If the IoT device or the infrastructure it connects to is continually monitoring device behavior, it may be possible to detect attacks as they are happening or determine that a device has been compromised. Once detected, a rapid response to the attack can prevent, or at least minimize, any damage.
Many observable parameters can contribute to successful monitoring of an IoT device. One might watch network traffic volume, memory utilization, active thread count, CPU utilization, and device sleep time for unusual conditions (Figure 1). A device under attack, or one that has already been compromised, is likely to disturb at least one of these: code that exfiltrates data or joins a botnet generates traffic and keeps awake a device that should be sleeping. A device monitor can also compare each outbound connection attempt against an allowlist of approved addresses to determine whether the device is trying to send information to an unauthorized destination. For such checks to be meaningful, the baseline of normal behavior must be established while the device is known to be clean, and the thresholds tuned so that ordinary variation does not generate a stream of false alarms.
Figure 1 Monitoring a device's behavior across a variety of parameters can help detect cyberattacks. Source: Arm, IoT World Conference
Monitoring alone is not enough, of course. Once an attack or a compromised device has been detected, there must be an appropriate response, and what constitutes "appropriate" is application specific. In some cases, simply disabling a compromised device and accepting that it is no longer functional may be enough. A system might also log the device as suspicious and quarantine it, cutting off its access to other devices and services until it can be repaired or re-verified. Performing a full device reset and reload of trusted software is the appropriate choice when loss of the device is not acceptable; this is where the trusted boot and signed-update mechanisms of the prevention toolkit pay off a second time, because they make the recovery itself trustworthy.
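To make the two preceding paragraphs concrete, the following is an added example (not code from the article, from Arm, or from any Pelion product) of a minimal behavioral monitor. It learns a per-metric baseline from known-good telemetry for the five parameters in Figure 1, flags a new sample whose metrics fall outside that baseline, checks outbound connection attempts against an allowlist, and maps the findings to one of the response options discussed above. The metric names, the three-sigma threshold, the zero-variance tolerance, the telemetry values and the response policy are all assumptions chosen for illustration.

```python
"""Behavioral monitor for an IoT device: baseline, anomaly check, allowlist, response.

Added example, not from the article or from Arm's Pelion product. Metric names,
thresholds, sample telemetry and the response policy are assumptions.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Iterable

# The five parameters from Figure 1: traffic volume, memory, threads, CPU, sleep time.
METRICS = ("net_bytes", "mem_pct", "threads", "cpu_pct", "sleep_pct")
Z_LIMIT = 3.0  # assumption: anything more than three sigma from baseline is anomalous


@dataclass(frozen=True)
class Baseline:
    stats: dict  # metric -> (mean, stdev) learned from known-good samples

    @classmethod
    def learn(cls, samples: Iterable[dict]) -> "Baseline":
        samples = list(samples)
        stats = {}
        for m in METRICS:
            values = [s[m] for s in samples]
            mu, sigma = mean(values), pstdev(values)
            # A metric that never varied while learning (sigma == 0) gets a small
            # tolerance (5% of its mean) so a change still registers without a
            # division by zero. Such metrics are the most sensitive detectors.
            stats[m] = (mu, sigma if sigma > 0 else max(abs(mu) * 0.05, 1e-9))
        return cls(stats)


def anomalies(baseline: Baseline, sample: dict) -> dict:
    """Return {metric: z_score} for every metric outside Z_LIMIT."""
    out = {}
    for m in METRICS:
        mu, sigma = baseline.stats[m]
        z = (sample[m] - mu) / sigma
        if abs(z) > Z_LIMIT:
            out[m] = round(z, 1)
    return out


def unauthorized_destinations(attempts: Iterable[str], allowlist: set) -> list:
    """Connection attempts ("host:port", hostnames or IPv4 only) whose host is not allowed."""
    return sorted(a for a in attempts if a.rsplit(":", 1)[0] not in allowlist)


def choose_response(findings: dict, bad_dests: list, loss_acceptable: bool) -> str:
    """Map detections to the responses in the text. The policy is an assumption."""
    if not findings and not bad_dests:
        return "none"
    # Traffic toward an unapproved destination is treated as confirmed compromise.
    if bad_dests:
        return "disable" if loss_acceptable else "reset_and_reload"
    # Resource anomalies alone may be benign (e.g. a firmware update); quarantine first.
    return "quarantine"


# Constructed known-good telemetry for one device (not real measurements).
GOOD = [
    {"net_bytes": 2000 + 50 * i, "mem_pct": 41 + (i % 3), "threads": 6,
     "cpu_pct": 12 + (i % 4), "sleep_pct": 88 - (i % 3)}
    for i in range(20)
]
ALLOWLIST = {"telemetry.example.net", "update.example.net"}


def demo():
    """Run the monitor over a constructed sample from a device exfiltrating data."""
    base = Baseline.learn(GOOD)
    # Traffic jumps by two orders of magnitude, extra threads appear, idle time drops;
    # memory and CPU stay within their normal range.
    suspect = {"net_bytes": 250_000, "mem_pct": 43, "threads": 9,
               "cpu_pct": 14, "sleep_pct": 31}
    attempts = ["telemetry.example.net:8883", "203.0.113.7:4444"]
    findings = anomalies(base, suspect)
    bad = unauthorized_destinations(attempts, ALLOWLIST)
    return findings, bad, choose_response(findings, bad, loss_acceptable=False)


if __name__ == "__main__":
    print(demo())
```

Two design points are worth noting. First, the thread count never varies in the training data, so a naive standard-deviation test would divide by zero; the example substitutes a small tolerance, which also makes fixed metrics the most sensitive indicators of tampering. Second, a non-allowlisted destination is treated as a stronger signal than a resource anomaly alone, because legitimate events such as a firmware update can also raise CPU and traffic, whereas a device has no legitimate reason to talk to a server it was never provisioned for.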
The advantage of monitoring as a security feature is that new or unexpected attacks can be detected and mitigated quickly, protecting a device over its full lifecycle even as threats evolve. It can also reduce the cost of keeping up with that evolution: a detected attack, rather than a fixed calendar, triggers the decision to push corrective firmware. Monitoring complements rather than replaces patching, however. A vulnerability that is publicly known still needs to be fixed before it is exploited, and a careful attacker will try to keep a compromised device's behavior inside its normal envelope, so monitoring is one layer of defense and not the whole of it.
Fortunately for developers, device monitoring software is becoming available to drop into IoT designs, freeing them to concentrate on their system's functional design. Arm, for instance, offers its Pelion Device Management product for a range of devices from constrained to feature-rich, and companies such as Microsoft and Amazon offer device monitoring as part of their IoT networking services.
The need to build security into IoT devices, and the importance of that security to IoT adoption, are both becoming clear. Device monitoring gives an IoT system a way to maintain its security throughout its installed life, even against threats that did not exist when it was designed, and it is thus likely to prove a vital addition to the IoT developer's toolbox.
This article was originally published on EDN.
Rich Quinnell is a retired engineer and writer, and former Editor-in-Chief at EDN.